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Abstract 

We study the role of help in Non-Interactive Zero-Knowledge protocols and its relation to 
the standard interactive model. In the classical case, we show that help and interaction are 
equivalent, answering an open question of Ben-Or and Gutfreund ( |BG03) ). This implies a new 
complete problem for the class SZK, the Image Intersection Density. For this problem, we also 
prove a polarization lemma which is stronger than the previously known one. 

In the quantum setting, we define the notion of quantum help and show in a more direct way 
that help and interaction are again equivalent. Moreover, we define quantum Non-Interactive 
Zero-Knowledge with classical help and prove that it is equal to the class of languages that have 
classical honest- Verifier Zero Knowledge protocols secure against quantum Verifiers ( |WatQ6l 
IHKSZ07] ). Last, we provide new complete problems for all these quantum classes. 

Similar results were independently discovered by Dragos Florin Ciocan and SaHl Vadhan. 
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1 Introduction 



In the setting of Zero-Knowledge, the Prover can prove to the Verifier that the answer to an instance 
of a problem, e.g. an NP problem with a witness w, is Yes without giving any other information. In 
particular, the person that receives the proof does not learn anything about w or any other witness. 
In order to create this kind of proofs, the Prover and the Verifier interact with each other. The 
condition "without giving any other information" has been formalized in |GMR89l IGMW91] and 
this security condition has been defined in the computational and the information-theoretic setting. 

We are interested in the information-theoretic setting and the class SZK (Statistical Zero- 
Knowledge) where an exponentially small amount of information is leaked. This class has been 
widely studied and many properties thereof are known (eg. |Oka96l rVad99j ). Some non-interactive 
models have also been defined where there is a single message from the Prover to the Verifier. If 
the Prover and Verifier do not share anything in the beginning of the protocol, then the resulting 
class is no larger than BPP. However, we can enhance the model, either by having the Prover 
and Verifier share a uniformly random string (the NISZK class, see |DMP88| . |GSV99| ) or some 
limited trusted help (the NISZK^i^ class). 

The class NISZK\h was introduced by Ben-or and Gutfreund [GBOO| . In this setting, the Prover 
and Verifier receive in the beginning of the protocol some help from a trusted third party, the Dealer. 
The Dealer has polynomial power, hence the help is "limited", however he knows the input to the 
problem. They showed that help does not add anything if we allow interaction {SZK = SZK\h). 
They also described a complete problem for the class NISZK^^, the Image Intersection Density 
{I ID), and showed that NISZK C NISZK\f^ C SZK, in other words that help can always be 
replaced by interaction. They also claimed to prove the opposite inclusion, SZK C NISZK\j^, 
however they later retracted from this claim ( |BG03| ). 

In this paper, we start by proving that indeed help and interaction are equivalent in Zero- 
Knowledge proofs, i.e. SZK = NISZK\^i^ (Section [4]). Our result can be thought of as showing 
that the power of SZK lies only in the fact that there is a trusted access to the input (from the 
Verifier or from the Dealer). It will hopefully provide some more insight into the relation between 
the classes NISZK and SZK , which is a main open question in the area. Moreover, we show 
that the IID problem remains complete for a wider range of parameters. For the proof we use a 
polarization lemma that is based on new bounds on the Statistical Difference problem (Appendix 

ED. 

In 2002, Watrous defined a quantum analog of Zero-Knowledge proofs ( |Wat02| ) and studied 
the quantum class QSZK. Since then, there has been a series of works that deal with the power 
and limitations of quantum Zero-Knowledge proofs ( |Kob03l IWat06l IKobOTj ) as well as attempts 
to find classical interactive protocols that remain zero-knowledge even against quantum adversaries 
r |Watn6[[HKSZr)7] ^. 

In the second part of our paper, we start by studying the class QNISZK that was defined by 
Kobayashi in |Kob03j . Using new results from |BT07| . we give two complete problems for this class, 
the Quantum Entropy Approximation (QEA) and the Quantum Statistical Closeness to Uniform 
(QSCU). These complete problems are the quantum equivalents of the complete problems for 
NISZK. However, due to the fact that quantum expanders are different than classical ones, the 
proof is different than in the classical case (Section [5|). 

In addition, we study the role of help in quantum Zero-Knowledge protocols. We define the 
notion of quantum help and show in a straightforward way that it is again the case that help and 
interaction are equivalent. We also define quantum Zero-Knowledge with classical help, provide a 
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complete problem for the class and deduce that the message of the Prover can also be classical. 
This allows us to prove that this class is equivalent to the class of languages that have classical 
interactive protocols that remain zero-knowledge even against quantum honest Verifiers (Section El). 

2 Preliminaries 

We start by describing some operations on probability distributions and proceed to provide defini- 
tions for classical and quantum Zero Knowledge classes and their complete problems. 

2.1 Operations on Probability distributions 

Let X : {0, 1}" {0, 1}™ be a polynomial size circuit. The distribution encoded by X is the 
distribution induced on {0,1}"* by evaluating X on a uniformly random input from {0,1}". We 
abuse notation and denote this distribution by X, in other words, X is both a circuit that encodes 
a distribution and the distribution itself. Also, Vn is the set of probability distributions on {0, 1}". 

Denote by SD{X,Y) the Statistical Difference between X and y, SC{X,Y) their Statistical 
Closeness, Disj{X,Y) the Disjointness of X according to Y and mat-Disj the mutual Disjointness 
between X and Y . 

• SD{X,Y) = \Y.i \xi -yi\ = l- Y^im.m.{xi,yi) 
. SC{X, Y) = l- SD{X, Y) = min(x„ y,) 

. Disj{X,Y) = ^\{i e {0,1}" I Vj G {0,1}", X{i) / y(i)} 

• mut -Disj{X,Y) = min{Disj{X,Y),Disj{Y,X)) 

Note that Disj{X, Y) < SD{X, Y) and that Disj{X, Y) / Disj{Y, X) but mut-Disj{X, Y) =mut- 
Disj{Y,X). 

Tensor Product X (g>Y corresponds to the distribution {X,Y). If X e Vn and Y G Vm then 
X (g) y G Vn+m- We denote X^'^ the distribution that results by tensoring X k times. 

Prop 1 (Direct Product Lemmas). Let X,Y any probability distributions. Then, 

1. SD{X,Y) = 5^1- 2exp-^'^'/2 < 5i?(X®^, y®'^) < kS 

2. Disj{X,Y) = 6 ^ Disj{X®^,Y®^) = 1 - (1 - 5f 

XORing Distributions We define the XOR operator which acts on a pair of distributions and 
returns a pair of distributions. Let (^, -B) = XOR{Xq.,Xi). Then, 

A : pick b £r {0, 1}, return a sample of Xi, X^ 
B : pick b £fj {0, 1}, return a sample of Xi, (g) Xj, 

Prop 2 (XOR Lemmas). Let X,Y probability distributions and {A,B) = XOR{X,Y) . Then, 

1. SD{X,Y) = 5 =^ SD{A,B) = 5^ 

2. mut-Disj{X,Y) = 5 =^ mut-Disj{A, B) = 6"^ 
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Flat Distributions Let X a distribution with entropy H{X). Elements xi of X such that 
I log(xj) + H{X)\ < k are called /c-typical. We say that X is A-flat if for every t > the probability 
that an element chosen from X is t • A-typical is at least 1 — 2~* +^ . 

Prop 3 (Flattening Lemma). Let X : {0, 1}" — > {0, 1}"* a circuit that encodes a distribution. Then 
is Vk ■ n-flat. 

2-Universal hashing functions A family TC of 2-Universal hashing functions from A ^ B is 
such that for every two elements x,y A and a,h ^ B Prh^z^jil h{x) = a and h{y) = h] = 

Prop 4 (Leftover hash lemma). Let Ti a samplable family of 2-Universal hashing functions from 
A ^ B. Suppose X is a distribution on A such that with probability at least 1 — 6 over x selected 
from X , Pr[X = x] < e/\B\. Consider the following distribution 

Z : choose h ^ TC and x <— X. return {h, h{x)) 

Then, SD{Z,L) < 0{5 + e^^^), where L is the Uniform distribution onTC x B. 

2.2 Classical Zero Knowledge 

Zero Knowledge proofs are a special case of interactive proofs. Here, we also want that the Verifier 
learns nothing from the interaction other than the fact that x G Ily when it is the case. The way 
it is formalized is that for x G Hy, the Verifier can simulate his view of the protocol defined by all 
the messages sent during the protocol as well as the verifier's private coins. 

Definition 1. IT G SZK iff there exists an interactive protocol {P,V) that solves IT such that there 
exists a function S computable in polynomial time and a function n G negl{k) <C l/poly{k) that has 
the following property : 

Vx G Uy, SD (^S{x, 1^=), {P, V)v) < li{k) 

S is called the simulator. We also have the following non-interactive variants of SZK: 

• NISZK : We suppose here that the Prover and the Verifier additionally share a truly random 
string r. We want the Verifier to be able to simulate both the random string and the message mp 
from the Prover on Yes instances. 

Definition 2. IT G NISZK iff with a truly random shared string r, there exists an non-interactive 
protocol {P, V) that solves 11 such that there exists a function S computable in polynomial time and 
a function fi G negl{k) <^ l/poly{k) that has the following property : 

VxGHy, SD (^S{x,l^),{r,mp{r,x))^ < ^(fc) 

• NISZK|h : We suppose here that the Prover and the Verifier additionally share a string h that 
is generated by a trusted third party (the dealer) using some coins unknown to the verifier and the 
prover. This string is called the help and can depend on the input. We want the Verifier to be able 
to simulate both the help and the Prover's message on Yes instances. 

Definition 3. IT G NISZK^^^ iff there exists a non-interactive protocol {D, P, V) that solves H 
where : 
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• The prover and the verifier share some help h which is a random sample of D depending on 
the input. 

• There exists a function S computable in polynomial time and a function /i G negl{k) <C 
l/poly{k) that has the following property : 

VxeHy, SD (^S{x,l''),{h,mp{h,x))^ < Kk) 

2.3 Quantum Statistical Zero Knowledge 

Quantum Statistical Zero Knowledge proofs are a special case of Quantum Interactive Proofs. We 
can think of a quantum interactive protocol {P,V){x) as a circuit {Vi{x), Pi{x), . . . ,Vk{x), Pk{x)) 
acting on V ® ® P. V are the Verifier's private qubits, Ai are the message qubits and V are 
the Prover 's private qubits. Vi{x) (resp. Pi{x)) represents the i*'* action of the Verifier (resp. the 
Prover) during the protocol and acts on V (resp. M. i^V). Pi corresponds to the state that 
appears after the i*'* action of the protocol. 

In the Zero-Knowledge setting, we also want that the Verifier learns nothing from the interaction 
other than the fact that x £ Ily when it is the case. The way it is formalized is that for x € Ily, 
the Verifier can simulate his view of the protocol. We are interested only in protocols where the 
Verifier and the Prover use unitary operations. 

Let (P, V) a quantum protocol and Pj defined as before. The Verifier's view of the protocol is 
his private qubits and the message qubits. view(^py){j) = Tr-p{(3j). We also want to separate the 
Verifier's view whether the last action was made by the Verifier or the Prover. We note po the input 
state, Pi the Verifier's view of the protocol after Pi and the Verifier's view of the protocol after 
Vi. 

We say that the Verifier's view can be simulated if on an input x, there is a negligible function 
fi such that Vj we can create aj with quantum polynomial computational power such that 

\\aj - viewv,p{j)\\ < p{\x\) 

Note that for a state a such that ||cj — Pi\\ < it is easy to see that a' = Vi-^iaV^_^i is close 

to ^i+i = Vi+ipiV^j^-^^ in this sense that \\a' — < Therefore we just need to simulate the 

Pi's. 

Definition 4. A protocol {P,V) has the zero-knowledge property for H if for each input x € Ily, 
there is a negligible function p such that Vj we can create aj with quantum polynomial computational 
power such that 

hj - pjW < p{\x\) 

This formalizes the fact that on Yes instances, the Verifier does not learn anything from the 
protocol except the fact that the input is a Yes instance. 

Definition 5. IT G QSZK iff there exists a quantum protocol {P, V) that solves 11 and that has the 
zero-knowledge property for IT. 

In the setting of Quantum Non-Interactive Statistical Zero-Knowledge, first defined by Kobayashi 
|Kob03j . the Prover and Verifier share a maximally entangled state J2i ION) ^^^d then the Prover 
sends a single quantum message to the Verifier. 
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Definition 6. IT G QNISZK iff, when the Prover and Verifier share the maximally entangled 
state 1^)10; there exists a quantum non-interactive protocol {P, V) that solves IT and that has the 
zero-knowledge property for IT. 

The notion of quantum help is more intricate and will be the subject of Section [6l 
2.4 Complete problems for Zero-Knowledge classes 

The complete problems for the Zero-Knowledge classes are promise problems. A promise problem 
n is defined by two disjoint sets Ily and IlAr. An instance X of IT is an element of Hy U H^. We 
say that 11 reduces to (11 ^ U) iff there exists a poly-time computable function / such that 

X eUy ^ fix) e Uy and X eUN ^ f{X) G Otv 

If n =<; O then n is no-harder than 0. We can define the complement problem IT as follows : 
Ily = Hat and Hn = Hy. In what follows, X,Y are circuits encoding probability distributions. 

SZi^-complete problems (see [SVOO] . |GV98j l : 

Statistical Difference (SD) Entropy Difference (ED) 

{X, Y) G SDy SD{X, Y) > 2/3 (X, Y) G EDy H{X) - H{Y) > 1 
{X, Y) G SDn SdIx, Y) < 1/3 (X, Y) G EDn H{Y) - H{X) > 1 

NISZK-com.^\ete problems (see [GSV99]) : 

Entropy Approximation (EA*) Statistical Closeness to Uniform (SCU) 

X G EAt^ =^ H{X) >t+l X e SCUy SD{X,I) < 1/n 

X G EA^^ H{X) <t-l X e SCUn SD{X, I) > I - 1/n 

X/5Zi(r|/i-complete problem (see |BG03j ) : 

Image Intersection Density (IID) Mutual Image Intersection Density (mut-IID) 

{X, Y) G II By SD{X, Y) < l/n2 {X, Y) G mut-IIDy SD{X, Y) < l/n^ 

{X,Y) G IIDn Disj{X,Y) > 1 - l/n^ {X,Y) G mut-I/L>jv mut-Disj{X,Y) > 1 - l/n^ 



Note that we can change the parameters to other parameters a and (3. For example, SD°''f^ 
corresponds to : {X,Y) G SBp'^ =^ SD{X,Y) > a and {X,Y) G =^ SD{X,Y) < [3 

Similarly, we can define the quantum equivalent problems QSD, QED, QEA* and QSCU. 
In this case, X, Y are the density matrices that correspond to the output qubits of the circuits, 
SD{X, Y) is the trace distance and the entropy is the von Neumann entropy. 
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3 A new polarization lemma for the IID problem 

The Zero-Knowledge protocols usually require from the promise problems some parameters that are 
exponentially close to or 1. Polarizations are reductions from promise problems with worse param- 
eters to promise problems that can be solved by the protocol. For example, there is a polarization 
for the SD problem which transforms SD""'^ with > 6 to SD^~'^ for any k G poly{n). 

The best polarization that was known for IID was that reduces to IID'^ "'^-^ ' 

and henceforth jg complete for NISZK\h ([BG03]). We will show here that IW^^ 

is complete for NISZK\i^ with b > 2a [a and b are constants). We first improve an upper bound 
on statistical difference and then use it to prove this new polarization lemma for the IID problem. 
The proofs are presented in Appendix El 

To prove a polarization lemma on the SD problem, the following bounds were used : 

Fact 1 f [Va,d99j ). Let X,Y two probability distributions st. SD{X,Y) = 5. Then 

1 - 2exp^'=^'/2 < SD{X^^,Y^^) < k6 
We can improve the upper bound on Statistical Difference to 

SD{X'^\y'^'') < 1 - (1 - J)'^ < m 
by using the following lemma (proof in Appendix [A]) . 

Lemma 1. Let X,Y,Z,T four probability distributions with SD{X,Y) = 6i and SD{Z,T) = 62. 
Then, 

SD{X Z, y T) < 1 - (1 - - ^2) = 61 + 62- 6162 

Using the new upper bound, we prove in Appendix lAl that 

Prop 5. mut-IID"-'^ ^ mut-IID^ ^,1-2 ^ b > a (a,h constants). 

To show completeness theorems and make the link with the IID problem, we will use the 
following fact proven in |BG03| . 

Fact 2. Let {Xo,Xi) E /IL>"'2^ Construct {A,B) as following : 

A : pick r G/j {0, 1} and b {0, 1}, return (X;,(r), b). 
B : pick r £r {0, 1} and b £fi {0, 1}, return {Xb{r),b) 

We have : {Xo,Xi) G IID^^^ {A, B) G mut-IID^^ and {Xq,Xi) G IID"^^^ {A,B) G 
mut-IID°^ . This being true when b > a. 

Theorem 1. mut-IID"-'^ is complete for N I S Z K\h when b > a and IW'^ is complete for N I SZK\h 
when b > 2a. IID"^'^ is NISZK^f^ complete for any a, b with b > 2a (a, b constants). 

Proof. Let a,b with b > a. Using the protocol of |BG03j . we know that mut-//-D^ '=,1-2 -g 
NISZK^f^ so using Prop [Sj mut-I/Z)"''' G NISZK^^. For hardness, we note that the proof in 
|BG03j also extends when we replace IID with mnt-IID. mut-IID ^ mut-II-D'^'^ (because a,b 
are constants) and mut-//-D°'* is hard for NISZK^f^. We extend this result by using the fact that 
jj^a,2fe ^ uiut-IW'^ (for b> a) using fact [2l □ 
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In the next section ,we will use this polarization lemma to show that NISZK^^^ = SZK. This 
will, in turn, imply that IID"^'^ is complete for b"^ > a using the polarization used for the SD 
problem. Our initial polarization is still interesting because it shows that problems like /IL)i/^o,3/io 
are in SZK, something which was not known before. 



4 Equivalence of help and interaction in Statistical Zero-Knowledge 

We show here that help and interaction are equivalent in the Statistical Zero-Knowledge setting 
Theorem 2. SZK = NISZK\f, 

Proof. We know that NISZK\h C SZK because IID, the complete problem of NISZK\h, trivially 
reduces to SD, the complete problem of SZK. In what follows we also prove the opposite inclusion, 
i.e. SZK C NISZK\h (Lemma [2]). □ 

In [GBOOj, the authors claimed to have proven this theorem, but due to a flaw they retracted 
it in [BG03J. Their reduction from the SZK-complete problem ED to IID was in fact only a 
reduction to SD. Nevertheless, inspired by their method we show a reduction from EA to IID. 

In order to prove that help can replace interaction we follow |GSV99| and reduce the SZK- 
complete problem ED to several instances of EA and EA using the following fact : 

Fact 3 ([GSyM]). Let X' = X®^ and Y' = y®^ „ ^/^g ^^^^^^ ^^-^g x' and Y' . It holds that. 

{X' e EAy) V {Y' G EA\.) 



{X,Y) £ EDy^yt G {!,... ,n} 



{X,Y) £EDN^3t£ {!,..., n} 



{X' G EAlf) A {Y' G EA 



Nj 



We know that EA G NISZK\i^ (since by definition NISZK C NISZK^^) so it remains to show 
the following two things: 

1. EA G NISZKfi : In order to this, we use similar tools to the ones in [Vad99j and especially 
the "Complementary use of messages" originally used in |Qka96] . 



2. NISZK^f^ has some boolean closure properties : this will allow us to reduce ED to a single 
instance of IID. In order to this, we use similar techniques than the ones used in [SV98j since 
mut-IID and SD are very similar. 

Note that this approach is similar to |GSV99j in their attempt to show that NISZK = SZK. 
They showed that if NISZK = co - NISZK then NISZK = SZK. We show here that co - 
NISZK C NISZK^fi which suffices us (with the closure properties) to show that NISZK^f^ = 
SZK. 



4.1 EA belongs to Non-Interactive Statistical Zero-Knowledge with help 



To show that EA G NISZK^^, we reduce the EA problem to the IID problem which is complete 
for NISZK\h. 

Let X an instance of EAl , i.e. an instance of EA with approximation parameter t. Let k = 
poly{m), where m is the input size and define X' = X^^ with s = Akm?. Note that the input size 
of X' is m' = sm and H{X') = sH{X). We have 
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Claim 1. Let Z = X' ® I, where I is the uniform distribution. We can create Z' in polynomial 
time such that : 

• X £ 'EAy SD{Z, Z') < 2-^(^) 

• X e KA^N =^ Disj{Z, Z')>1- 
Proof. Construct Z' as following: 

Z' : choose r G/? {0, 1}™', x = X'{r), h GnHm'+st^m', u^r {0,1}"^ return {x,{h,h{r,u))). 

Note that Z' is of the form Z' = X' A so we need to show that, when fixing x G X' , we 
have either SD{I,A) small (in the Yes instance) or Disj{I,A) large (in the No instance). Prom the 
Flattening lemma (see Preliminaries) we have 

Fact 4. 

1. X' is A-fiat with A = 2\pkrr? ■ s was chosen such that s = 2\/kA. 

2. Let x^X' . Pt[x is VkA-typical] > 1 - 2^^(^). 

For X G X' , let wt{x) = log \{r \ X'{r) = x}\. When x £ X' is fixed, the number of different 
possible inputs {r,u) that are hashed is 2"'*(^)+**. Prom the flattening lemmas, it is easy to see that 
if H{X) <t — l then wt{x) will be large with high probability whereas if H{X) >t + l then wt{x) 
will be small with high probability. In more detail, 

(i) H(X) < t - 1. 

For all X £ X' which are \/A-A-typical we have log ^|{r | X'{r) = x}\ + H{X') < \/kA. 
Hence, 

wt{x) >m'- sH{X) - VkA > m' - st + s - VkA > m' - st + VkA. 

Therefore, the number of inputs {r,u) such that X'{r) = x and u £ {0, 1}** is greater than 
2m'+VkA > 2"^'+'^, By the leftover hash lemma (see Preliminaries), SD{{h,h{r,u)),L) < 
0(2-^('^)). By Pact HJ the probability of a -/fcA-typical x is larger than > 1 - 2~^('^) and 
hence we can conclude that SD{Z, Z') < 2-^'-''\ 

(ii) H(X) > t + 1. 

For all X £ X' which are \/A;A-typical we have 

wt{x) <m' - sH{X) + v^A <m' - st- s + VkA < m' - st - VkA. 

Therefore, the number of inputs (r, n) such that X'{r) = x and u £ {0, 1}^* is smaller than 
2m'-VkA ^ 2™'-^. Since we hash at most 2""'"^ values into {0, 1}""' , we get only a 2~'' fraction 
of the total support and hence Disj{I,h{r,u)) > 1 — 2"^^'^). By Pact HJ the probability of 
a v^A-typical x is larger than > 1 — 2"^'^'^) and hence we can conclude that Disj{Z, Z') > 

□ 
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Prom the distribution X, we have created Z,Z' in polynomial time such that : 

• X G KAy =^ {Z, Z') G IIDy. 

• X e 'EAn {Z, Z') G //Djv- 

So EA ^ IID and from the completeness of IID for NlSZK^y^^ we have EA G NISZK^/^. 

4.2 Closure properties for NISZK\h 

Closure properties have been widely used in the study of Zero-Knowledge classes (see [DDPY94j 
or [SV98| ). Every promise problem 11 G NISZK\}^ reduces to the mut -IID promise problem and 
hence, we just have to concentrate on this problem. Note that this problem is very similar to the 
SD promise problem and hence we use similar techniques to those used to show closure properties 
for SZK from the SD problem. In our case, we just need to show some limited closure properties 
that will be enough to prove that ED G NISZK^f^. 

Definition 7. Lei n\ . . . , some promise problems. We define AND{Ii^, . . . , n'^) : 

• (xi,...,x'=)G^iVD(ni,...,n'=)y^ViG{i,...,fc} g 

• {X^,...,X^) G AND{U^,...,II'')n ^ 3i G {!,..., A;} G ff^ 

In the AND definition, we assume k to be of size polynomial in the input size, i.e. k G poly{n). 
Definition 8. Let IT, two promise problems. We define ORiJi, Q.) : 

• {X, Y) G OR{Ii, J7)y ^ X G Hy or y G 

• {X,Y) eOR{Tl,Q)N ^ X eJlN andYGQN 

We will show that NISZK\^^ is closed under AND and OR which is enough for our purposes. 
Claim 2. NISZK\f, is closed under AND. 

Proof. Let n\ . . . , n*^ in NISZK\h and (A^, . . . , an instance of AND{Ii^, . . . , H*^). We reduce 
each n* to the mut-I/D problem which means that we transform each A^ into a pair of distributions 
{X\Y^) such that A^ G n^. {X\Y') G mut-/IL>y and A^ G ff^ {X\Y^) G mui-IIDN- Let 
X = X^ ® ■■■ ® X^ and Y = Y'^ ® ■ ■ ■ ® Y^ . We first polarize each pair {X^Y"-) such that 
{X\Y^) G mut-I/L»i/"''='i-i/"' (which is possible since k G poly{n)). Then, we use the following 
fact from |Vad99j and |BGn3| : 

Fact 5. 

• SD{X,Y) < Y.iSD{X\Y') 

• mut-Disj{X,Y) > maxi mut-Disj{X^ jY"^) 

Prom this fact, we can easily see that {A^ , . . . , A'') e AND{Il^, II^)y => {X, Y) G mut-IIDy 
and that {A^,...,A'') G AND{U^ , . . . ,n'')N {X,Y) G mut-//L>Ar, which concludes our proof. 

□ 

Claim 3. NISZK^^ is closed under OR. 
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Proof. Let H, 17 G NISZK^j^. Let I an instance of H and J an instance of Q. We reduce / to a 
pair of distributions (-^^O'^o) such that I £ Uy ^ (^O'^o) ^ mut-/IDy and / G Hjv ^ (-'^O'^o) ^ 
mut-I/DAT. Similarly, we reduce J to a pair of distributions {X[,Y(). Using our polarization, we 

create {Xq,Yq) and {Xi,Yi) that are instances of mut-/I-D Now, consider the follow- 

ing two distributions 

A : pick b Gr {0, 1}, return a sample of (g) Yf). 
B : pick b {0, 1}, return a sample of Xf^ (g) Y^. 

This is a generalization of the XOR transformation and was used in [Vad99j to show closure 
properties for SZK . We now use the following fact 

Fact 6. \Vad99l and fBGO.'^ 

. SD{A,B) = SD{Xo,Yo)*SD{Xi,Yi) 

• mut-Disj{A, B) = mut-Disj{Xo,YQ) * mut-Disj{Xi,Yi) 

Prom this, we can easily see that {Xq,Yq) G mut-I/Dy " 'V(^~^/" ) (^Xi,Yi) G mut-IIDy " ) 

{A, B) G IIDy. Similarly, if (Xq, Yq) G mut-/IZ)]v^"''^^^"^^"'^ and (Xi, Fi) G mut-//Z?]v^"''^^^"^^"'^ ^ 
(^,-6) G mut-//-D7v. We have therefore reduced Oii(n, $7) to a single instance of mni-IID. Since 
mut-IID is in NISZK\h we conclude that Oi?(n, G NISZK\h. □ 

4.3 Help can replace interaction 

We can now prove that help can replace interaction and hence conclude the proof of Theorem [2l 
Lemma 2. SZK C NISZK^f, 



Proof. We show that ED G NISZKh, which will allow us to conclude since ED is complete for 
SZK. Let {X,Y) an instance of ED. 

We have already shown that EA and EA are in NISZK\h. Moreover, we have closure under 
Oi?, and hence for all t there exists a promise problem 11* G NISZK\}^ and an input A* such that 

(X', Y') G or(ea\ ea^)y ^ a* g n*y 
(X', Y') G or(ea\ ea^)n ^ ^* g n*v 

Therefore, 



(X, y) G ed y ^ g {1, . . . , n}A* G n*, 

(X, Y) G ^ 3t G {1, . . . , n} ^* G 



and from the closure under AND we conclude that ED G NISZK\h. □ 

This theorem has some interesting corollaries. 

Corollary 1. NISZK^j^ has all the properties of SZK like closure under complement or closure 
under boolean formula. 



10 



It is interesting to find a non-interactive class that has all the properties of SZK. It means that 
the power of SZK lies only in the fact that there is a trusted access to the distributions (from the 
Verifier or from the Dealer). 

Corollary 2. The IID problem is complete for SZK. 

We have here a new complete problem for SZK. This problem is easier to manipulate and could 
be used to find other results about SZK. 

5 Complete problems for QNISZK 

In this section we study complete problems for the class QNISZK. Note that Kobayashi showed 
a complete problem for the case of Non-Interactive Perfect Zero-Knowledge, however was unable to 
extend his proof to the case of Statistical Zero-Knowledge. 

We continue this line of work and give two complete problems for QNISZK, the Quantum 
Entropy Approximation and the Quantum Statistical Closeness to Uniform. These are the natural 
generalizations of the NIS ZK-complete problems EA, SCU. Ben-Aroya and Ta-Shma showed that 
QEA reduced to QSD. In fact, during their proof, they showed that QEA G QSCU°''^ but these 
parameters a, h were not good enough to show that QEA G QNISZK. We will modify their proof 
to show that QEA G QNISZK and then conclude using similar techniques than the ones used in 
the classical case (see |GSV99| as well as the analysis of QNISZK done by Kobayashi [Kob03j ). 
The proof will follow from the following three lemmas. 

Lemma 3. QEA G QNISZK. 

Proof. We modify the proof of |BTn7| to show that QEA G QNISZK. Let X an instance of QEA^ 
with input size m and I the totally mixed state. 

Claim 4 ([BT07]). We can create X' such that 

• X e QEAy SD{X',I) < 5e 

. X eQEAN^SD{X',I) > 2^ 

where q > 21og(l/e) + log(gm) + 0(1) and also q > y^log{l /e)y/qn + 1. 

We apply this claim with the following parameters : fix e = 2~'^ with k G poly{n) and then 
q G poly{n) that satisfies the constraints. Let X' be the resulting distribution. Now let r = 
8k{qm)'^ G poly{n) and Y = X'®'^ . By using bounds on Statistical Difference, we have 

• X G QEAy SD{X',I) < 5re < 2"^^ 

• X e QEAn SD{X',I) > 1 - 2-'= 

Kobayashi showed in |Kobn3| that QSCU'^' ' G QNISZK and hence by our claim that 
QEA 4 QSCU^''^^-^''^ we conclude that QEA G QNISZK. □ 

Lemma 4. QSCU 4 QEA. 
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Proof. We use the following fact about the relation of trace distance and von Neumann entropy 
Fact 7. Let X a quantum state of dimension n. 

1- \\X - l\\tr < a ^ S{X) > 7i{l -a- 1/2"). 

2. \\X - I\\tr >f3^ S{X) <n- log(i^). 

Let X a quantum mixed state of dimension n > 16. \\X — I\\tr < 1/n =^ S{X) > n — 2. 
\\X — f\\tr > 1 — =^ S{X) < n — 4. When n < 16, we can solve QSCU polynomially. We have 
a reduction from QSCU to QEA. □ 

Lemma 5. Every problem in QNISZK reduces to QSCU. 

Proof. The proof of hardness for QNIPZK extends naturally to this problem. We will not repeat 
the proof here. The interested reader can see [Kob03| for this proof. □ 

It now follows immediately that 

Theorem 3. QEA and QSCU are complete for QNISZK. 

Proof QSCU is hard for QNISZK and QSCU ^ QEA so both problems are hard for QNISZK. 
QEA E QNISZK and QSCU 4 QEA so they are both in QNISZK. □ 

6 Help in quantum Non-Interactive Zero-Knowledge protocols 

In classical Non-Interactive Zero-Knowledge, the Prover and Verifier start with a shared uniformly 
random string, which is independent of their input. Classical help was a natural generalization of 
this and was defined as a shared string created by a trusted third party with polynomial power (the 
Dealer) who has access to the input. 

In quantum Non-Interactive Zero-Knowledge, the Prover and Verifier share a maximally entan- 
gled state with the Prover having the first register and the Verifier the second. Note that 
this state is pure and independent of the input x. 

Help with unitaries We define quantum help as a generalization of the maximally entangled 
state. We suppose here that there is a trusted Dealer with quantum polynomial power that performs 
a unitary Ux and creates a state hpv in the space V xV. The Prover gets hp = Try{hpy) and the 
Verifier gets hy = Trp{hpv). Note that the state hpy is a pure state and depends on the input. 

Definition 9. We say that H G QNISZK\h if there is a non-interactive protocol {D,P,V) that 
solves n with the Zero-Knowledge property, where the Verifier and the Prover share a pure state 
hpv created by a Dealer D that has quantum polynomial power and access to the input. They also 
start with qubits initialized at |0). We denote by {D,P,V) the entire protocol. 

Next, we prove that help and interaction are equivalent in the quantum setting, but with a much 
easier proof than in the classical case. 

Theorem 4. QNISZK\h = QSZK 
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Proof. We start by showing that QNISZK^f, C QSZK. Let U G QNISZK^f, and {D,P, V) denote 
the protocol. Since hpy is a pure state, we can create another protocol (P, V) where the Verifier 
takes the place of the Dealer. Because the Dealer is a unitary (and has no private qubits), this can 
be done. The protocol is the same so soundness and completeness are preserved. The first message 
in {P, V) can be simulated because the circuit^of the Dealer is public and computable in quantum 
polynomial time. The second message in (P, V) can be simulated because of the Zero-Knowledge 
property of the protocol {P, V). 

The inclusion QSZK C QNISZK\i^ is immediate, since there exists a two message protocol for 
a QSZi^-complete problem (see |Wat02j ). The first message of the Verifier can be simulated by the 
Dealer's help. □ 

Using non-unitaries The unitary restriction is natural when dealing with quantum Zero-Knowledge 
classes. However, unitary help does not allow the dealer to keep some information private. In fact, 
we can imagine a stronger quantum help, where the Dealer can perform any quantum operation in 
order to create the help. For example, he can create a quantum state, keep part of it to himself and 
share the rest of the state between the Prover and the Verifier. 

It is not hard to see, that in this way, the dealer can create an even stronger type of classical 
help, namely where he can give secret correlated messages to the Verifier and the Prover. Since we 
know that NISZK^^^ = AM (see [PSM]) we can conclude that non-unitary help is very strong. 
Note also that with non-unitaries we don't know if help and interaction are equivalent. The case 
of Quantum Zero Knowledge protocols with non-unitary players is indeed very interesting and we 
refer the reader to |CK07| for more results. 

6.1 Quantum Non-Interactive Zero-Knowledge with classical help 

We now define two "hybrid" classes, where the Prover and Verifier are quantum, however in the 
beginning of the protocol they only share classical information. These classes have very interesting 
connections to the class of languages that possess classical zero-knowledge protocols secure against 
quantum adversaries, i.e. the class studied by Watrous |Wat06j and Hallgren et al |HKSZ07j . We 
start by providing some appropriate definitions. 

Definition 10. We say that a circuit C is e-probabilistic if 



This y will be called the natural image of x and will be noted Natc{x) 

We now define g-samplable distributions as follows: 

Definition 11. A distribution D £ V is called q-samplable if it can be represented by a 2~^- 
probabilistic circuit C (k £ poly{n)) with classical input and output and such that in order to 
compute C{x) for any x, we need a BQP machine. 

To deal with g-samplable distributions, we also extend the definition of Disjointness to proba- 
bilistic circuits. 

Definition 12. 



Vx, 3!y, Pr{C{x) = y) > I - e 




r6{0,l}' 



.71 
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Disj{X,Y) must be understood as follows : "If I take a random x of X, and I'm given a y (poten- 
tially the best), what is the probability that Y{y) = x ?" 

Note that when the second distribution (Y) is described by a deterministic circuit then this 
notion of disjointness is equivalent to the original one. 

Prom this fact, we will show a simple relationship between Statistical Difference and Disjointness. 
In the case of deterministic distributions, we know that Disj{X,Y) < SD{X,Y). 

Lemma 6. Let {X,Y) be 2 e- probabilistic circuits. We have : Disj{X,Y) < SD{X,Y) + 2e. 

Proof. Let {X,Y) be 2 e-probabilistic circuits. We define Y as following : Y{r) = Natyir). We 
can easily see that SD{Y,Y) < e and that Disj{X,Y) < Disj{X,Y) + e. From this, we conclude 
that : 

Disj{X, Y) < Disj{X, Y) + e< SD{X, Y) + e< SD{X, Y) + 2e 

□ 

Note that 2~"-probabilistic circuits behave similarly (with exponentially small difference) to 
deterministic circuits. This means that we can apply polarization lemmas and extend all the com- 
pleteness theorems that were shown with classical distributions to g-samplable distributions. We 
can now study QNISZK^^^. 

Definition 13. We say that 11 G QNISZK^^i^ if there exists a non-interactive protocol {P, V) that 
solves n with the Zero-Knowledge property where the Verifier and the Prover start with some classical 
help h distributed over a distribution D prepared by a trusted Dealer with quantum polynomial power. 
We want the dealer D and the simulation S to be q-samplable distributions. The prover and the 
verifier also start with |0) qubits. We denote {D,P,V) the entire protocol. 

Let us define the problem IIW: Let X,Y two g-samplable probability distributions which are 
describes by 2~'^-probabilistic circuits 

• {X,Y) G IID^. SD{X,Y) < 1/4 

• {X,Y) e IID% Disj{X,Y) > 3/4 

We prove that this problem is complete for QNISZK^^h by the following two lemmas. 
Lemma 7. IID^ G QNISZK\^h- 

Proof. Let {X,Y) an instance of IIV. Using our polarization lemma, we construct {X',Y') such 
that {X,Y) G IID^. SD{X',Y') < and {X,Y) G IID% Disj{X',Y') > 1 - 2-^= for some 
k G poly{n). We use the same protocol as for the classical case: 



Protocol in QNISZK\^h for the IW problem 

H : create x' ^ X' and reveal it. 

P : send r such that Y'{r) = x' . 
V : Verify that Y'{r) = x' 
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This protocol is the same as the one used in |BG03j . Note that the completeness and soundness 
correspond exactly to the Disjointness of the two distributions and hence they follow from Lemma 
[6l Moreover, working on g-samplable distributions doesn't change the Zero-Knowledge property 
and hence it follows immedaitely from [BG03j . □ 

Lemma 8. Every problem in QNISZK\ch reduces to IIW 

Proof. The proof of Ben-Or and Gutfreund that II D is hard for NISZK^f^ can be naturally extended 
to the case where the Verifier and the Dealer are BQP machines by taking into account that the 
distributions are now g-samplable. 

Consider a promise problem 11 S QNISZK^^i^. Let {D,P,V) be a non-interactive protocol for 
n with completeness c{k), soundness s(A;)and simulator deviation fj,{k) with 1 — c{k), s{k), fj,{k) £ 
negl{k). Let x an instance of 11. Consider now the two following distributions : 

Dq : run the Dealer D on x. 

Di : run the simulator k £ poly{n) times on x with the same coins to get k samples {h,mp). 
Note that these copies are the same with exponentially high probability because the simulator is 
2-'-'('=)-probabilistic. Run the accepting procedure A on each copy of {x,h,mp). Output h if V 
accepts the majority of the times and _L otherwise. 

• li X £ Hy then the Verifier will accept the majority of times with probability (1 — 2"'^^'^)) 
because of completeness. In this case, the distribution Di is equal to the simulation of the 
help, which has statistical difference ii{k) from the real help. Since the distribution Dq is the 
distribution of the real help, we have SD{Do, Di) < fi{k)+2-^^^'^ < 1/4 and {Dq, Di) G IID^. 

• Let X G Hat and B be the set of help strings, such that h £ B ^ 3 mp Pr[A{x, h,mp) = 
Yes] > 1/3 where A is the verifying procedure of V. The probability that Dq produces a 
sample h £ B (and therefore a sample in U {-L}) is < 3s{k) due to the soundness condition. 
It also holds that the probability that Di produces a sample in BU{1.} is > 1 — 0{2~^). This 
can seen as follows: the probability that Di outputs h £ B is equal to the probability that the 
Verifier accepts the majority of times, when running A k times with h £ B, which happens with 
probability at most 2-0(*^). We conclude that Disj{DQ,Di) > (1 - 2('^('=)))(1 - 3s{k)) > 3/4 
and {Dq,Di) £ IID% 

Since the Dealer and Simulator are g-samplable, the distributions Dq and Di are also g-samplable. 

□ 

and hence Di is 2~'^('^)-probabilistic 
Prom Lemma [7] and Lemma [HI we have 

Theorem 5. IID'^ is complete for QNISZK^^f^. 

Similarly, we can define Quantum Non-Interactive Zero-Knowledge where the Prover and the 
Verifier share a classical random string. We denote this class QNISZKr- Let us define SCV^ as 
the statistical closeness to uniform applied on a g-samplable distribution. By the same arguments 
SCVi is complete for QNISZK\r. 

Using these complete problems, we have the following interesting corollary 

Corollary 3. In QNISZK\^ and QNISZK^^^, the Prover sends a classical message. 
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Proof. This is true because there is a protocol for II D'' and SCU^ where the Prover sends a classical 
message and these two problems are complete. □ 



Now denote by SZKq the class SZK where the Verifier and simulation use quantum polyno- 
mial power. In other words, this is the class of languages that have classical protocols which are 
Zero-Knowledge against quantum Verifiers. Similarly, define the classes HVSZKq and NISZK^fi,q 
(where both the Verifier and the Dealer use quantum power). The class SZKq was studied by Wa- 
trous f |Watn6j ) and Hallgren et al [KKSZOTj . It remains open to show whether these three classes 
are equal to each other, which is true when the Verifier is classical. 

Note that by corollary [3l we have that QNISZK^^f^ = NISZK^f^ q. Using our analysis of 
NISZK^hi we can show the following : 

Theorem 6. NISZK\h^q = HVSZKq 

Proof. Similar to the case of HVSZK , we can show that SD'' is complete for HVSZKq (see also 
[Vad99| ) where SD'i is the natural extension of SD applied to g-samplable distributions. Prom 
section HI we know a reduction from SD to IID. The same reduction works from SD^ to IID'^ 
so HVSZKq C QNISZK\^h = NISZK\h,q. Because trivially reduces to we have 

HVSZKq = NISZK\h,q. ' □ 



7 Conclusion and further work 

Our work settles the question of the role of help in Zero-Knowledge protocols by showing that it 
is equivalent to interaction. In other words, we showed that the only thing that is important to 
create a statistical Zero-Knowledge proof is a trusted access to the input (from the Dealer or from 
the honest Verifier). This will hopefully shed some light into the relation of Non-Interactive and 
Interactive Zero-Knowledge, which still remains open. 

In the quantum setting, we gave the first formal definition of help for Zero-Knowledge protocols. 
We showed that quantum help is also equivalent to interaction and that the case of classical help is 
closely related to the class of languages that have classical zero-knowledge protocols secure against 
quantum Verifiers. It would be interesting to see if quantum help could also give some interesting 
results concerning the class SZKq, and especially whether SZKq = HVSZKq. 
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A Details of the polarization of IID 

Proof. (Lemma [l|) Define ws{X) = Ylii^s^i *° weight of X e Pn on the set S C {0,1}", 

S{X,Y) = {i e {0, 1}"| Xi < Vi} and S{X,Y) the complement. Fix X,Y,Z,T four probability 
distributions with ci = l-^i = SC{X, Y),C2 = I-S2 = SC{Z, T) and c=l-6 = SC{X®Z, Y®T). 
Let A = S{X,Y), A' = S{Z,T), A and A' the complementary sets, ai = wa{X), (3i = WAiY), 
"2 = wa'{Z) and P2 = wa'{T). We have : 

ci = ^ min(xj, yi) = t(;A(^) + Wa^O^) = ai + 1 - /5i and C2 = 02 + 1 - 

i 

We now show that c > C1C2. 

c = y^min(a;jZj,yjt-,) 

= ^ min(3;iZj,yjtj) + ^ min(xi2:j, yjtj) 
ieA,jeA' i^AjeW 

+ ^ min(xi2;j,yitj) + ^ min(a;i2;j, yjtj) 

> XiZj+ 5^ 

iGAjeA' jg^jg347 i^Aj^A' ieAjeA' 

> aia2 + ai(l - P2) + "2(1 - A) + (1 - /3i)(l - /?2) 

> C1C2 

By replacing the statistical closeness by the statistical difference, we get 

5 < 1 - (1 - <5i)(l - 52) 

□ 

Proof. (Prop [5]) Let two constants a, b such that 1 > 6 > a > 0. We do this reduction in three steps: 

1. We show that mut-/IL>"''' mut-/IZ)'^-"'<^+" with a > and (p = 

2. We show that mut-/IL>'?^-°'<^+" ^mut-/IL>i/"''i-i/"' . 

We show the first reduction by the following lemma: 
Lemma 9. Let a, b such that b> a. There exists a > such that mut -II D"^'^ ^ mut 

Proof. Let X, Y two distributions and a, b with b > a such that SD{X, y) < a or voMt-Disj^X, Y) > 
b. We are going to construct a pair of distributions {A, B) with the property that either SD{A., B) < 
(/> - a or umi-Disj{A, B) >(j) + a. Let T and T' such that T, F' ^ Im{X) U Im{Y). We define the 
following distribution: 

Ar,u,xix) = With probability u return X{x) else return F. 

Similarly, we define the distributions Ar^uxi^)^ ,u,x{x). We have 
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• SD{X, Y)<a ^ SD{AY,u,x,Ar,u,Y) < v?a. + 2u(l - u) = f{u, a). 

• mut-Disj{X,Y) > b =^ mut-Disj{Ar,u,x , Ar,u,Y) ^ u'^b + 2u{l - u) = f{u,b) 

• SD{X, Y)<a ^ SD{Ay,u,x, ^r',«,y) < u^a + 2u{l - n) + (1 - uf = g{u, a) 

• mut-Disj{X,Y) > b =^ raut-Disj{Ar^u,x,^r',u,Y) ^ u'^b + 2u{l - u) + {1 - n)^ = g{u,b) 

Let 6 = {a + b)/2. If 6 = (f), then the distributions X,Y already have the desired property. 
If 5 > (j) then from the fact that the function / is continuous, f{0,S) = and f{l,S) = 5, we 
conclude that there exists a constant uq G [0,1] such that f{uo,6) = (p. The pair of distributions 

UQ,x T Ar,uo,Y) desired property 

• SD{X, Y)<a ^ SD{Ar,uo,x,Ar,uo,Y) < ^la + 2no(l - no) = <^ - n^^. 

• mut- Dis j {X, Y) > b =^ mut- Dis j {Ar, uo, x, Ar^uox) ^ '^o^ + '^'^o{f - uq) = (p + u^^. 

Similarly, for the case 6 < (j) we use the distributions (^r,M,x, ^r',«,y) and the function g. □ 

In order to show our third reduction, we need the following claim : Let X and Y two probability 
distributions. Denote {U, V) = XOR{X, Y) and let T : Pn x Pn ^ P2n x P2n be the operator 
T{X,Y) = {U^U,V^V). 

Claim 5. Let {A,B) = T{X,Y) 

SD{X, Y)<a^ SD{A, B) < 1 - {1 - a^f 

mut -Disj{X,Y) > (5 ^ mut -Disj{A, B) > 1 - {1 - p^f 

Proof. The proof follows from our new upper bound on SD, the Direct Product Lemma and the 
XOR Lemma. 

SD{A,B) = SD{U (g)U,V (g)V) < I - {I - SD{U,V))'^ = I - {I - {SD{X,Y))^f 
< i_(i_a2)2 

mut-Disj{A, B) = 1 - (1 - umt-Disj{U, V)f = 1 - (1 - {m\it-Disj{X, Y)ff 
> 1- (1-/32)2 

□ 

We now have: 

Lemma 10. Let (j) = For any a > (constant), mut-nD*-''^'^+<^ 4 //Z)i/nM-i/"\ 

Proof. Let f{x) = 1 - (1 - x^f and Ui+i = f{Ui). The fixed point of / is (/> = By a 

straightforward study of /, we can see that li Uq < (f) — a then < and \i Uq > 4> -\- a then 
Uk>l — l/n^ with k = poly{n). 
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Let {A\B^) = r{X, Y). By the previous Claim, we know that SD{A\ B') and mut -Disj{A\ B') 
behave hke Ui. Then, for {A,B) = T^{X,Y) we know that the size of the final distribution is 
n • 2" = poly{n) and 

SD{X,Y) < (p- a =^ SD{A,B) <l/n'^ 
mut-Disj{X, Y)> 4> + a mut-Disj{A, B) > I - l/n^ 

□ 

Prom the original polarization of |BG03| . we know that mut -//L>i/"^i-i/"' ^ niut -IID^ "'^-^ * 
Putting these two reductions together as well as the original polarization, we have that for 1 > 6 > 
a > 0: 

^ mut -IID^'^ 4 mut _i/£)<^-"-<^+" ^ mut ^ ^ut -IID^'" 

□ 
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